From: Lowell Gilbert
To: "Unix Tools"
Cc: "Adam Bender"
Subject: Re: Setting permissions for a user
Date: 26 Oct 2002 18:07:57 -0400
Message-ID: <44y98konuq.fsf@be-well.ilk.org>

"Unix Tools" writes:

> Assign the user an rbash shell.
> Quite restrictive.

It's not restrictive enough for a potentially malicious user (which is
the case here, because the original poster knew the password could be
sniffed).  If you're going to give a shell at all in such cases, you
need to use jail(8) or at least chroot(8).

In this case, the original poster specifically said he wanted to give
the account no password at all (which is, of course, even more
restrictive), so these are overkill for this situation.

Restricted shells really aren't for security uses.  They are too easy
to break out of (if you let them run any useful programs, anyway).
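
The distinction drawn in the message above (restricted shell plus a usable password versus an account with no password login) can be checked mechanically. The script below is an added example, not part of the original thread: it lists accounts whose login shell is a restricted shell together with the state of their password field. It assumes FreeBSD master.passwd format, where a password field beginning with `*` disables password login; the account names, paths and hashes in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Lists accounts whose login
# shell is a restricted shell, with the state of the password field.
# Input: FreeBSD master.passwd format, 10 colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

audit_restricted_shells() {
    # Reads the file named in $1, or stdin when no argument is given.
    # Exit status is 1 if any listed account still accepts a password.
    awk -F: '
        /^#/ || NF != 10 { next }            # skip comments, malformed lines
        {
            n = split($10, parts, "/")       # basename of the login shell
            if (parts[n] !~ /^(rbash|rksh|rzsh)$/) next

            if ($2 == "")                     state = "empty"
            else if (substr($2, 1, 1) == "*") state = "disabled"
            else                              state = "set"

            print $1 ":" $10 ":" state
            if (state != "disabled") exposed = 1
        }
        END { exit exposed + 0 }
    ' "${1:--}"
}

# Constructed sample input; the hash values are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
# constructed master.passwd excerpt
root:$1$CONSTRUCTED$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
upload:$1$CONSTRUCTED$placeholder:1001:1001::0:0:Upload:/home/upload:/usr/local/bin/rbash
backup:*:1002:1002::0:0:Backup pull:/home/backup:/usr/local/bin/rbash
guest::1003:1003::0:0:Guest:/home/guest:/usr/local/bin/rksh
EOF
}

# Output lines are name:shell:password-state.
sample_passwd | audit_restricted_shells ||
    echo "set/empty entries rely on the restricted shell alone; use jail(8) or chroot(8)" >&2
```

On a live system the function takes the file as its argument, for example `audit_restricted_shells /etc/master.passwd` run as root.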